lib/promauth: cache the client TLS certificate for up to a second

This should reduce CPU usage when TLS connections are established at a high rate.
2024-11-21 14:44:00 +00:00 · 2021-07-02 13:20:15 +03:00 · 2021-07-02 13:20:15 +03:00 · 6e406083f2
commit 6e406083f2
parent a93da746c0
1 changed files with 20 additions and 1 deletions
--- a/lib/promauth/config.go
+++ b/lib/promauth/config.go
@ -210,7 +210,26 @@ func (ac *Config) NewTLSConfig() *tls.Config {
 	if ac == nil {
 		return tlsCfg
 	}
-	tlsCfg.GetClientCertificate = ac.getTLSCert
+	if ac.getTLSCert != nil {
+		var certLock sync.Mutex
+		var cert *tls.Certificate
+		var certDeadline uint64
+		tlsCfg.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			// Cache the certificate for up to a second in order to save CPU time
+			// on certificate parsing when TLS connection are frequently re-established.
+			certLock.Lock()
+			defer certLock.Unlock()
+			if fasttime.UnixTimestamp() > certDeadline {
+				c, err := ac.getTLSCert(cri)
+				if err != nil {
+					return nil, err
+				}
+				cert = c
+				certDeadline = fasttime.UnixTimestamp() + 1
+			}
+			return cert, nil
+		}
+	}
 	tlsCfg.RootCAs = ac.TLSRootCA
 	tlsCfg.ServerName = ac.TLSServerName
 	tlsCfg.InsecureSkipVerify = ac.TLSInsecureSkipVerify